http://issues.apache.org/bugzilla/show_bug.cgi?id=41123

------- Additional Comments From [EMAIL PROTECTED] 2007-11-28 13:23 -------

> 1) we must always be able to assume that the issuer of the
> X509_STORE_CTX_get_current_cert() cert is trusted, since otherwise we wouldn't
> get this far?

I'll check the current patch. As things stand I suspect if the server just trusts a root CA and the client sends root->intermediate->EE it will fail to find the intermediate CA because it isn't in the store.

> 2) sk_X509_value(X509_STORE_CTX_get_chain(ctx), 1) is not necessarily the
> issuer of the current cert - it might *be* the current cert?
>
> ...right? Or am I missing something fundamental?

I was missing something. I was assuming the OCSP calls were being made *after* the chain is validated instead of inside the verification callback.

If you make OCSP calls inside the verification callback the chain may not be fully trusted when you make the OCSP requests. This would allow a carefully constructed certificate chain to persuade a server to make arbitrary OCSP requests to any URL. Some would regard this as undesirable.

> On the CERTID front, if I add
>
> if (certID) OCSP_CERTID_free(certID);
>
> it crashes on that line:

Yes, I missed that, sorry. It will be freed when the request is freed.
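An added example, not code from mod_ssl or from the patch on this bug: one way to act on the concern in the comment above is to refuse any OCSP lookup until chain verification has succeeded and to contact only configured responder hosts. The function names, the allowlist policy and the sample host are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample configuration: responder hosts the operator trusts. */
const char *const SAMPLE_ALLOWED[] = { "ocsp.ca.example" };

/* Copy the lower-cased host of an http:// URL into out. Fails (-1) on another
 * scheme, an empty or oversized host, or userinfo ('@') in the authority. */
static int responder_host(const char *url, char *out, size_t outlen)
{
    size_t i, auth, n;

    if (url == NULL)
        return -1;
    for (i = 0; i < 7; i++)       /* stops at the first mismatch, incl. NUL */
        if (tolower((unsigned char)url[i]) != "http://"[i])
            return -1;
    url += 7;
    auth = strcspn(url, "/?#");   /* whole authority component */
    n = strcspn(url, ":/?#");     /* host, without any port */
    if (n == 0 || n >= outlen || memchr(url, '@', auth) != NULL)
        return -1;
    for (i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)url[i]);
    out[n] = '\0';
    return 0;
}

/* The responder URL comes from the certificate, so it is attacker-chosen
 * until the chain is verified: allow a lookup only after verification
 * succeeded and only to a configured (lower-case) responder host. */
int ocsp_lookup_allowed(int chain_verified, const char *url,
                        const char *const *allowed, size_t n_allowed)
{
    char host[256];
    size_t i;

    if (!chain_verified || responder_host(url, host, sizeof(host)) != 0)
        return 0;
    for (i = 0; i < n_allowed; i++)
        if (strcmp(host, allowed[i]) == 0)
            return 1;
    return 0;
}
```

The gate fails closed: anything it cannot parse as a plain `http://host[:port]` URL is treated as not allowed.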
